FIPS-Certified Cryptographic Library

Tectia Client, ConnectSecure, and Server can be operated in FIPS mode, using a
version of the cryptographic library that has been certified according to
the Federal Information Processing Standard (FIPS) 140-2.

The full OpenSSL cryptographic library is distributed with Tectia ConnectSecure. However,
Tectia ConnectSecure uses only the algorithms provided by the fipscanister object module
within that library. The OpenSSL FIPS-certified cryptographic library provides the classes of
functions listed in the following tables.

The functions from the OpenSSL library version 1.0.2a used on Linux, Windows, Solaris and
HP-UX Itanium (IA-64) are listed in Table 3.1. On these platforms, the
fipscanister object module version 2.0.9 is used.

The functions from the OpenSSL library version 0.9.8 used on HP-UX PA-RISC and IBM AIX are
listed in Table 3.2. On these platforms, the
fipscanister object module version 1.2 is used.

Table 3.1. APIs used from the OpenSSL cryptographic library version 1.0.2a
(used on Linux, Windows, Solaris and HP-UX Itanium)

| API            | Description                                                            | Functions from OpenSSL |
|----------------|------------------------------------------------------------------------|------------------------|
| Random numbers | AES/CTR DRBG based on NIST SP800-90A is used from the OpenSSL library. | RAND_get_rand_method() |
| AES ciphers    | Variants: ecb, cbc, cfb, ofb, ctr                                      | EVP_aes*               |
| 3DES ciphers   | Variants: ecb, cbc, cfb, ofb                                           | EVP_des_ede3_*         |
| Math library   | Bignum math library used by OpenSSL.                                   | BN_*                   |
| Diffie-Hellman |                                                                        | DH_*, ECDH_*           |
| Hash functions | Variants: sha1, sha-224, sha-256, sha-384, sha-512                     | EVP_sha*               |
| Public key     | Variants: rsa, dsa, ecdsa                                              | RSA_*, DSA_*, ECDSA_*  |

Table 3.2. APIs used from the OpenSSL cryptographic library version 0.9.8
(used on HP-UX PA-RISC and IBM AIX)

| API            | Description                                                                      | Functions from OpenSSL     |
|----------------|----------------------------------------------------------------------------------|----------------------------|
| Random numbers | FIPS-approved AES PRNG based on ANSI X9.32 is used from the OpenSSL library.      | FIPS_rand_*                |
| AES ciphers    | Variants: ecb, cbc, cfb, ofb, ctr                                                | AES_*                      |
| DES ciphers    | Variants: ecb, cbc, cfb, ofb                                                     | DES_*                      |
| 3DES ciphers   | Variants: ecb, cbc, cfb, ofb                                                     | DES_*                      |
| Math library   | Bignum math library used by OpenSSL.                                             | BN_*                       |
| Diffie-Hellman |                                                                                  | DH_*                       |
| Hash functions | Variants: sha1, sha-224, sha-256, sha-384, sha-512                               | SHA1_*, SHA256_*, SHA512_* |
| Public key     | Variants: rsa and dsa                                                            | RSA_*, DSA_*               |

No certificate functions are used from the OpenSSL library. Tectia
provides its own certificate libraries.